Adaptive 802.15.4 Security #1703
Conversation
apps/reboot-app/Makefile.reboot-app
Outdated
| @@ -0,0 +1 @@ | |||
| reboot-app_src = reboot-app.c | |||
|
Please also include the |
core/lib/csprng.c
Outdated
| #include <string.h> | ||
|
|
||
| #ifndef MIN | ||
| #define MIN(a, b) (((a) < (b)) ? (a) : (b)) |
There was a problem hiding this comment.
This is already defined in sys/cc.h, see here.
|
There is a frequency hopping block in |
|
Thanks for your comments. I will try to address them. Concerning |
|
I applied the changes you suggested. Travis should pass after a restart. |
|
I think it is also a good idea to remove |
| #of the slip connection. Large MSS together with low baud rates without flow | ||
| #control will overrun the transmit buffer when the style sheet is requested. | ||
|
|
||
| WITH_WEBSERVER=0 |
There was a problem hiding this comment.
Using WITH_WEBSERVER=webserver produces the following error:
../../../../apps/webserver/httpd-cgi.c:158:11: error: 'uip_conns' undeclared (first use in this function)
conn = &uip_conns[s->u.count];
^
../../../../apps/webserver/httpd-cgi.c:158:11: note: each undeclared identifier is reported only once for each function it appears in
../../../../apps/webserver/httpd-cgi.c: In function 'tcp_stats':
../../../../apps/webserver/httpd-cgi.c:197:9: error: 'uip_conns' undeclared (first use in this function)
There was a problem hiding this comment.
This is probably because I disabled TCP in the corresponding project-conf.h. Also, note that I did not copy some files that are required for enabling the web server over to this example folder. I could do so if you like.
|
I'm testing using 2 nodes with the broadcast application running, I have a couple of questions (sorry in advance if this is something obvious):
|
|
Thanks for testing. Indeed, it is expected that you see |
|
Thanks for the fast response. I don't have a concrete preference, but to try to follow how an user would test the application based on what is documented. I think just adding a note about enabling back TCP should do. I will continue testing, thanks! |
|
Building Nothing is received with |
|
Is llsec supposed to be working on all platforms, theoretically? We had limited success testing earlier version of llsec in econotag. If you 14 జూన్ 2016 4:49 AMన, "Benoît Thébaudeau" notifications@github.com
|
|
@bthebaudeau Regarding @vamsi-chikati Porting the |
|
@kkrentz send me an email and we'll fix your lack of |
| /* set CCA thresholds */ | ||
| #undef CC2420_CONF_CCA_THRESH | ||
| #define CC2420_CONF_CCA_THRESH -25 | ||
| #undef CC2538_RF_CONF_CCA_THRES |
There was a problem hiding this comment.
Does this changes anything? checking the cc2538-rf there is:
#ifdef CC2538_RF_CONF_CCA_THRES
#define CC2538_RF_CCA_THRES CC2538_RF_CONF_CCA_THRES
#else
#define CC2538_RF_CCA_THRES CCA_THRES_USER_GUIDE /** User guide recommendation */
#endif /* CC2538_RF_CONF_CCA_THRES */
But in the actual code is pretty much hard-coded
REG(RFCORE_XREG_CCACTRL0) = CC2538_RF_CCA_THRES_USER_GUIDE;
|
@kkrentz With |
|
Hi folks. The bullets in the OP are things that need solved. However, I am finding it very difficult to understand the reasoning behind some of the commits proposed here. This includes all the pub-sub business and also the reboot app. I cannot immediately understand why we need an LLsec-specific border router example. All I see that you enclose entire .c files inside #if guards. Is this really required? In other words, will the file fail to compile if those macros are not set? I am finding it difficult to understand how you are deriving pairwise keys. Is this some sort of key agreement? If so, is this something well-established? Is this something that you have designed / published yourself? For channel-hopping in the respective seeder, best not hard-code channels in [11, 26], since we are getting traction with sub-ghz radios. Perhaps get min/max through the radio API ( Generally speaking, security and crypto are things difficult to understand (and to therefore configure properly based on requirements). In this context, some documentation would be nice :) That's a general comment that applies to what we already have on master by the way. Lastly, perhaps of zero consequence, those "Your Name committed" don't look very nice |
|
|
Updates:
|
|
@g-oikonomou I was able to remove a couple of #if guards, but removing the remaining ones would cause compiler errors and warnings. |
|
I've tested this update with
|
|
I confirm that |
|
@bthebaudeau Is there anything left that does not work for you? |
|
@kkrentz Now, my Zoul Firefly boards can successfully send and receive messages with all the supported |
|
@bthebaudeau I also encountered reliability issues with ContikiMAC, but they seem to be independent of |
- Corrected the number of padding bytes (presently there are always 2 padding bytes too less) - Removed "struct hdr" to avoid undefined behavior - Reduced the length of the ContikiMAC header to 1 byte (we only send the original datalen now) - For compatibility with adaptivesec, padding bytes are added after securing and removed before unsecuring (this necessitates unsecuring within NETSTACK_LLSEC.input())
|
AdaptiveSec seems to be already available on cetic/6lbr, why is it taking so long to get integrated into Contiki mainline? |
|
I, meanwhile, ported adaptivesec, along with my implementations of ContikiMAC and CSL to Contiki-NG https://github.com/kkrentz/contiki-ng. I will create a new pull request there. |
|
Excellent kkrentz. Your efforts to bring Contiki towards IIoT-level robustness are invaluable. I have a couple of comment-questions:
I'm sure you're aware of it, however. |
|
@kkrentz , thanks for the update. Please also inform us if you could, about the new pull request in contiki-ng. |
|
@kkrentz will the CSL work for cc26xx-cc13xx cpu drivers? |
|
@firmwareguru I have little hope that we can add compromise resilience to TSCH anytime soon. Even if TSCH was changed to use pairwise keys, its time synchronization could still be attacked by compromised nodes. Because of this, I rather added channel hopping (and other nice features) to CSL. Regarding the paper, I think I saw this paper a long time ago. They are using unauthenticated ECDH and hence do not prevent unauthorized nodes from joining the network. Another limitation is that ECDH is quite energy- and time-consuming. By contrast, our system ensures authorization and avoids public-key cryptography. @amitbhanja For the time being, I only implemented a driver for the CC2538: https://github.com/kkrentz/contiki-ng/blob/master/arch/cpu/cc2538/dev/cc2538-rf-async.c. |
|
@kkrentz , Thanks for the info. I was actually trying the adaptivesec (https://github.com/kkrentz/contiki) with rpl-border-router. The border router is on cc1310 and sensortag on cc1350. I enabled the prints of the security module. #include "net/llsec/adaptivesec/coresec-autoconf.h" #define AKES_SINGLE_CONF_KEY { 0x12 , 0x37 , 0x59 , 0x65 , #undef CSPRNG_CONF_SEEDER #undef CONTIKIMAC_CONF_WITH_PHASE_OPTIMIZATION #undef NETSTACK_CONF_FRAMER I tried the above with both phase optimization and without that. However, I always get the prints of the ACK being received. But then a series of Invalid ACK prints, which I believe is because the entry becomes permanent and then it is not any more tentative. There has been occasions of ACK was not acknowledged prints. This i believe is because of no mac layer acknowledgments being sent. Would this be an issue? but after that, I dont see the sicslowpan connection getting through. Dont see any sicslowpan input prints on either side. Could you give some idea about what could be the issue? |
|
This sounds like the ACK is not being acknowledged, although it was received successfully ... |
|
@amitbhanja I am looking at using adaptivesec + contikimac + cc13xx too; please update here any advances or resolutions, as will I. |
|
@kkrentz CSL-MAC: A low power channel hopping MAC with adaptive security and compromise resiliency? Sounds great. Where is it, and how can we get it rolled into here, or Contiki-NG, which seems to have only TSCH as the MAC layer?? |
|
I opened a PR for merging CSL into Contiki-NG contiki-ng/contiki-ng#506 |
|
Hello @kkrentz , I have been using the adaptivesec protocol from ur github repository https://github.com/kkrentz/contiki. Thanks a lot for providing this. It is working fine. I have a setup with border router and 6 nodes. The nodes send data every 1 minute. There is a mechanism I implemented which deletes the parent from the neighbor list if UPDATE ACK is not received after two checks of update interval. After about 2 days, it has been observed that even though node is sending HELLO message with a different session key than what was present due to deletion of the border router from neighbor table, the border router is identifying it as new session with permanent neighbor but the HELLO ACK being sent is not received at the node. This is creating issue with starting a new session with the border router. |
|
Hello,
thanks for using adaptivesec. It may happen that a HELLOACK is silently
discarded because there is no need to start a new session. Maybe this
mechanism interferes with your deletion of parents. I do not know what you
are trying to achieve, but, normally, it is unnecessary to delete neighbors
by hand since akes-delete.c already takes care of deleting uncommunicative
neighbors. To trace down the problem, it would be useful to have the DEBUG
output of akes.c. Also, I would need to know what MAC protocol, platform,
and seeder you are using.
That said, I meanwhile ported adaptivesec to Contiki-NG and
actually stopped maintaining my Contiki repository. You can find the
latest version there: https://github.com/kkrentz/contiki-ng,
https://github.com/kkrentz/contiki-ng/wiki/CSL. As Contiki-NG also contains
a lot of other fixes to Contiki, it probably makes sense for you to move to
Contiki-NG, too.
Kind Regards
Konrad
2018-07-23 7:31 GMT+02:00 Amit Bhanja <notifications@github.com>:
… Hello @kkrentz <https://github.com/kkrentz> , I have been using the
adaptivesec protocol from ur github repository https://github.com/kkrentz/
contiki. Thanks a lot for providing this. It is working fine. I have a
setup with border router and 6 nodes. The nodes send data every 1 minute.
There is a mechanism I implemented which deletes the parent from the
neighbor list if UPDATE ACK is not received after two checks of update
interval. After about 2 days, it has been observed that even though node is
sending HELLO message with a different session key than what was present
due to deletion of the border router from neighbor table, the border router
is identifying it as new session with permanent neighbor but the HELLO ACK
being sent is not received at the node. This is creating issue with
starting a new session with the border router.
Could you give any tip about why it is happening?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1703 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABPxfI47E78gUJUXviKQnteuJYpZn8jrks5uJV-XgaJpZM4ItY88>
.
|
|
Hi @kkrentz , Thanks for your quick response. From the node: Line 1: akes-delete: #permanent = 1 From the border router: I have some prints at the input of adaptivesec to check if any packet has been received. Kindly please provide your inputs. I will try to move to contiki-ng meanwhile. |
|
The problem seems to be outside of adaptivesec. It could be due to ContikiMAC, which is known to suffer from some timing issues. Besides, I have also encountered a lot of trouble with CSMA in the past. If you are using a CC2538-based platform, you may try my CSL implementation https://github.com/kkrentz/contiki-ng/wiki/CSL instead. |
|
@kkrentz , thanks a lot for your advice. I am actually using srf06-cc26xx platform. What settings would you suggest to enable in contiki-ng for proper working? I am observing in the original contiki version that after using security, there have been issues of sometimes no packet being received at the gateway. Upon restarting those nodes, packets are being received. It seems to be issues with contikimac along with radio driver. Well , I will test with contiki-ng. Please recommend what settings to do for cc26xx platforms. |
Currently, the
noncoresec_driverhas various problems:This pull request adds the
adaptivesec_driver, which avoids the problems above by establishing session keys. For usage details, see https://github.com/kkrentz/contiki/tree/adaptivesec/core/net/llsec/adaptivesec.